Report of the Joint Criminal/Civil Section Working Group On Identity Theft: A Discussion Paper(Joint Session)

The Paper was presented by Josh Hawkes, Appellate Counsel, Alberta Justice. In 2006, a Joint Criminal/Civil Section Working Group on Identity Theft was established to look at:

What ancillary orders or declarations might be made in conjunction with a criminal prosecution to assist a victim in the process of rehabilitating their financial and other aspects of their identity; and

The issue of mandatory breach reporting or breach notification.

The Working Group was also tasked with the responsibility of identifying areas for further research and examination.

The presenter described the scope of the problem of identity theft including the potential for significant financial losses and lasting consequential harm to its victims such as harm to credit ratings, financial reputation as well as erroneous criminal records created in the name of the victim where stolen identity is being used by an individual apprehended for a different crime. Criminal identity theft also potentially raises national security concerns. It has been the subject of extensive study by a wide range of groups, organizations and governments both in Canada and abroad.

In terms of victim impact, the presenter indicated that studies have identified four major issues: discovery of identity theft; time spent by victims repairing or restoring their financial history; consequences of identity theft; and benefits of early discovery.

The Working Group examined the following two options for assisting victims under the criminal law:

A broader approach used in the state of South Australia, which consists of legislation that provides for a court to issue a certificate to victims of identity theft following the conviction of a person found guilty of identity theft;

A narrower approach based on California’s 'factual declaration of innocence' model, which defines “criminal identity theft” as identity theft that occurs when a suspect in a criminal investigation identifies himself or herself using the identity of another innocent person. Under this model, the victim of criminal identity theft may apply for a declaration of factual innocence, which could lead to the sealing and destruction of records. The victim who is granted an order may also apply for inclusion in the Identity Theft Registry.

The presenter noted that in the Canadian context, the approach to victim assistance in the CriminalCode has a narrow focus – sections 738 to 741.2 address the circumstances in which a restitution order may be given either to the victim or to others, and deal with the enforcement of such orders and the relationship of these provisions to other civil remedies.

The paper notes that there are limits to the extent to which the two approaches may be applied to the Canadian context. The Working Group noted the constitutional constraints and other operational limits in following the broad approach taken in South Australia or the narrow approach based on the California model including the fact that the issuance of a certificate or declaration at the conclusion of a criminal proceeding would not be provided in sufficient time for the victim to rehabilitate his or her credit history or limiting the amount of loss. Such process commences shortly after the victim is made aware of the theft.

The paper also notes that identity theft resulting in the issuance of criminal process or criminal conviction in the name of an innocent individual - which name may appear in local or national police records or databases or shared between jurisdictions both nationally and internationally - is a serious problem. The presenter noted, however, that before any solutions are proposed, further study is indicated including an examination of current practices as well further research to determine the scope of the problem in order to evaluate the need to implement a similar approach in Canada.

The Working Group also examined the legal and policy issues relating to mandatory reporting of data loss (or “breach notification”), which, among other, enables potential victims of identity theft to protect themselves. The most effective measures to minimize the risk of identity theft continue to be the subject of debate. The Working Group favoured a consistent approach to breach notification by all levels of government. Many organizations in Canada have operations and hold data from individuals in more than one jurisdiction. They would greatly benefit from uniform rules about responding to a data breach.

In considering the role of the Conference regarding the subject of identity theft, it was noted that the work of the several existing working groups and organizations looking at the issue of identity theft will need to be monitored to ensure there is no unnecessary duplication or overlap in any future work undertaken by this Conference.

To further guide the work of the Working Group, three broad conclusions were presented:

Empirical research indicates both that identity theft is significantly underreported to police or other agencies, and that time is of the essence in providing effective assistance to victims in overcoming the effects of identity theft;

Breach notification should be the subject of continued examination including civil and penal remedies such as those already developed in various jurisdictions; and

As preventive measures are a critical component of any solution to the problem of identity theft, the Conference should consider examining ways to enhance identity security with a view to reducing the risks of identity theft.

In light of these conclusions, the Working Group recommended:

That the Working Group develop a principled framework for a breach notification scheme that could be used in all jurisdictions, together with an examination of related civil remedies and processes.

That the Working Group conduct a detailed examination of remedies and processes to aid victims of identity theft where criminal or other official records have erroneously been created in the name of the victim.

That the long term objective of the group be to examine identity security, and what steps might be taken to enhance the security of identification documents and practices with a view to reducing the risks of identity theft.

Discussion:

During the discussion, several questions were raised regarding the various aspects of identity theft. One issue noted for discussion was that while remedial measures are essential in addressing identity theft, prevention is equally important. It was noted that the Working Group explored whether they should study the preventive measures component in the Paper but concluded that a number of existing groups were already currently studying that aspect of identity theft. Also raised was whether the Working Group had the opportunity to consider the notion of issuing one single piece of identification. In response, it was noted that the narrow mandate of the Working Group did not extend to this issue. In addition, it was mentioned that at least one security expert did not favour this approach because such an item would become the single factor identification that will not be questioned and this would cause more challenges in an identity theft situation. One member of the Working Group noted the importance of having persons with the proper expertise and experience, such as representatives of a privacy office, to assist the Working Group, in particular to examine the issue of breach notification.

After the discussion, the following resolution was presented:

Resolved:

1. That the Joint Criminal/Civil Section Working Group on Identity Theft:

(a) develop a principled framework for a breach notification scheme that could be used in all jurisdictions, together with an examination of related civil remedies and processes; and

(b) conduct a detailed examination of remedies and processes to aid victims of identity theft where criminal or other official records have erroneously been created in the name of the victim.